How do clients know when secrets have changed?

This is about using a Vault library (Spring Vault), so bear with me. I have a use case for Vault which I’m not sure is feasible:

We have Spring Boot projects which require several secrets. Currently, these are static secrets kept in properties files. We would like to move these secrets to Vault and consume them at runtime. So far, so good - the Spring Vault library allows us to set properties from Vault when the application starts.

However, what happens when the secret changes? In my perfect world, the client is aware of when the secret changes and updates the value. One way I can imagine having to do this is retrieving the version of the kv secret, and polling vault to see whether a new version is available, then implementing some internal logic in the application to change the value.

This seems like it might put some strain on Vault and generate unnecessary traffic.

Does this sound like a good way to go?

Any advice from folks who have Vault integrated into their applications would be of great help.


Seems like a solid option to me.

I can think of two other methods that may work each with their own benefits/drawbacks (note: I’ve not actually implemented any of these - just my thoughts on some potential options):

  1. Add an “expires_at” attribute to your secret and have your spring code check back in when that value is reached. Obviously this won’t handle emergency rotations so may not be a great option depending on the criticality of this service and how frequently the secrets are expected to be rotated normally.
  2. Use the existing secret until there is an access denied or equivalent response then trigger a re-retrieval from Vault. Cuts down on unnecessary communications to Vault and accommodates emergency rotations but may result in slower response during rotation events.

I’m also curious how others have implemented in practice.